Business Continuity under NIS2: OOB Communication as a Foundation for Incident Response

The NIS2 Directive (Directive (EU) 2022/2555) introduces a significant shift in the approach to cybersecurity. Its objective is not limited to protecting IT systems, but to ensure that essential services remain available even in the event of a serious incident. For this reason, business continuity has been explicitly identified as a mandatory element of cybersecurity risk management.

Business continuity as a formal obligation under NIS2

Article 21(2) of NIS2 establishes a minimum set of measures that must be implemented as part of cybersecurity risk management. This catalogue is functional rather than technical in nature and is grounded in an all-hazards approach, meaning preparation for a wide range of disruption scenarios.

It includes, among others, policies on risk analysis and information system security (point a), incident handling (point b), and—explicitly placed between them—the requirement to ensure business continuity, including backup management, disaster recovery and crisis management (point c).

Business continuity as the ability to operate during an incident

NIS2 requires the implementation of measures that allow an organisation to maintain operational capability during an incident, not only after the incident has been resolved.

From this perspective, business continuity covers not only system availability, but also the ability to:

  • coordinate the activities of teams during an incident,
  • make decisions during an incident,
  • activate crisis procedures during an incident,
  • communicate internally when infrastructure is degraded.

If an organisation loses these capabilities, then—even if backups and disaster recovery plans exist—it does not meet the functional objective of NIS2, which is to limit the impact of incidents on the provision of services.

Communication as a prerequisite for effective incident handling

Incident handling, as referred to in Article 21(2)(b), assumes continuity of response processes from the moment an incident is detected until it is contained. In practice, this requires maintaining communication between decision-makers, technical teams and other units involved in the response.

Many real-world cybersecurity incidents—such as ransomware attacks, DDoS attacks or failures of directory services—lead to partial or complete unavailability of IP-based infrastructure. Under such conditions, standard communication channels such as email, messaging platforms or cloud-based services may no longer be accessible.

The absence of an alternative communication channel may lead to situations in which:

  • the initiation of response procedures is hindered or delayed,
  • decisions are not taken within the required timeframes,
  • the organisation’s ability to control the course of the incident is limited.

From the perspective of NIS2, this results in an inability to effectively fulfil both point (b) (incident handling) and point (c) (business continuity).

Resilient communication as an element of business continuity

Business continuity, as understood under NIS2, requires the existence of a communication channel that:

  • does not share points of failure with the primary IT infrastructure,
  • remains available under conditions of network degradation,
  • enables rapid contact with key individuals.

This is why Article 21(2)(j) refers to the need to use secure, including emergency, communication systems where justified by risk. This provision logically complements points (b) and (c), indicating that communication capability is one of the pillars of organisational resilience.

SMSEagle as a practical implementation of NIS2 requirements

SMSEagle addresses these requirements by providing an independent out-of-band communication channel based on GSM/LTE networks. The solution does not rely on Internet connectivity or the organisation’s internal IP infrastructure.

In practice, it enables:

  • activation of crisis communication in emergency situations,
  • rapid notification of decision-makers and response teams,
  • maintenance of a minimal but critical communication capability during an incident.

As a result, the SMSEagle hardware SMS Gateway may support the implementation of selected NIS2 requirements, in particular by strengthening communication capabilities relevant to incident handling (Article 21(2)(b)), business continuity and crisis management (Article 21(2)(c)), and secure emergency communication (Article 21(2)(j)).

Conclusions from the NIS2 perspective

NIS2 treats business continuity as an organisation’s ability to function under conditions of disruption, rather than merely as a set of recovery plans and procedures. Incident handling and business continuity are inseparably linked in the Directive, with communication acting as a common element of both domains.

An organisation that is unable to communicate and coordinate actions during an incident fails to achieve the functional objective of Article 21 NIS2, even if it formally maintains backups, disaster recovery plans and business continuity documentation.

In this context, solutions such as SMSEagle, which provide an independent out-of-band communication channel, may support compliance with NIS2 requirements in the areas of incident handling and business continuity. By decoupling communication from the primary IP infrastructure and Internet access, such solutions enhance organisational resilience in scenarios where standard communication channels are unavailable or degraded.

From the NIS2 perspective, this strengthens an organisation’s ability to maintain minimal but essential operational capability during an incident, aligning with the Directive’s overarching objective of limiting the impact of disruptions on service delivery.
